Recent disclosure of the highly publicized Heartbleed bug again brings attention to security of communication over the Internet. Security of the Logentries service and the customer data we store has always been paramount for us, and we believe that security is a shared responsibility. To that point, I want to share with you the steps we take toward this contract.
First of all, we don’t support weak encryption. This means that if you decide to send us data encrypted, you cannot do it insecurely. We achieve it via disabling all encryption combinations that are not widely believed to be perfectly secure. We support only the best industry encryption standards. And the minimal key size is 128 bits.
Additionally, we prioritize Perfect forward secrecy for all communication. PFS generates new public keys for every new session (Diffie-Hellman key exchange). Once the session is closed, keys are forgotten and the communication remains secure even if it has been recorded and long-term keys compromised. This means that if there ever is a case where the private keys are leaked, no previous communication would be compromised.
We recently deployed specific certificates for our API and data endpoints. We don’t use our generic wildcard certificate for them because certain syslogs do not implement wilcard-certificate validation correctly. In some cases they fail silently which is particularly dangerous, and this will not happen with the Logentries service. Our agent supports encryption and certificate validation out of the box. If encryption is not available (unlikely) it warns the user on every run.
We will continue to keep an eye on recent developments in securing communication. We are committed to provide the best possible and most secure approaches to sending your log data to us.